compel2160's comments

The idea isn't to comprehensively make malicious code impossible - the idea is to make it difficult to sneak in. If the NSA wants to spend $500 billion to compromise an NPM package, there's very little we can do. But if waiting 3 days for security scans catches even 10% of malicious packages, that's 10% fewer incidents everyone else has to deal with. And now people pwning maintainers must be much more sophisticated so their attacks are entirely undetected for that period.

I don't think anyone is saying cooldowns are the only thing you need - just that it's a 30sec change that should harden your code.

Also, most malicious versions seem to be detected by tools scanning new packages. People updating without cooldowns probably aren't manually inspecting diffs. Giving tools more time to detect things seems pretty obviously good to me. Add to that maintainers reporting they've been pwned, and the floor for sneaking malicious code is much higher.
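The cooldown the comment above describes, as an added example that is not part of the thread: a filter that, given the npm registry's per-package metadata (the packument, whose `time` map records when each version was published), picks the newest version that has been public for at least N days and reports which newer versions were held back. The packument, package name and the fixed clock are constructed sample data; the function names are my own.

```javascript
// Added example (not from the HN thread): a dependency "cooldown" filter.
// Given an npm-style packument (the registry's per-package metadata, whose
// "time" map records when each version was published), pick the newest
// version that has been public for at least `cooldownDays` days.
// The packument below is constructed sample data, not a real package.

const SAMPLE_PACKUMENT = {
  name: "example-lib", // hypothetical package name
  "dist-tags": { latest: "2.1.0" },
  time: {
    created: "2024-01-01T00:00:00.000Z",
    modified: "2024-03-10T12:00:00.000Z",
    "2.0.0": "2024-02-01T00:00:00.000Z",
    "2.0.1": "2024-02-20T00:00:00.000Z",
    "2.1.0": "2024-03-10T12:00:00.000Z", // one day old relative to NOW below
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers so versions compare numerically, not lexically.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) return null; // skip pre-releases and non-version keys
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Return the newest version published at least `cooldownDays` before `now`,
// or null if nothing has aged enough. `now` is injectable so the decision is reproducible.
function selectCooledVersion(packument, cooldownDays, now = new Date()) {
  const cutoff = now.getTime() - cooldownDays * 24 * 60 * 60 * 1000;
  let best = null;
  for (const [version, publishedAt] of Object.entries(packument.time)) {
    const sv = parseSemver(version);
    if (!sv) continue; // "created"/"modified" and other non-release keys
    if (Date.parse(publishedAt) > cutoff) continue; // still inside the cooldown window
    if (best === null || compareSemver(sv, best.sv) > 0) best = { version, sv };
  }
  return best ? best.version : null;
}

// Explain which versions were held back, for a human reading the lockfile diff.
function cooldownReport(packument, cooldownDays, now = new Date()) {
  const chosen = selectCooledVersion(packument, cooldownDays, now);
  const cutoff = now.getTime() - cooldownDays * 24 * 60 * 60 * 1000;
  const heldBack = Object.entries(packument.time)
    .filter(([v, t]) => parseSemver(v) && Date.parse(t) > cutoff)
    .map(([v]) => v);
  return { chosen, heldBack };
}

// Stand-alone run with a fixed clock so the output is deterministic.
const NOW = new Date("2024-03-11T12:00:00.000Z");
console.log(cooldownReport(SAMPLE_PACKUMENT, 3, NOW));
// With a 3-day cooldown, 2.1.0 (one day old) is held back and 2.0.1 is chosen.
```

The interesting design point is that the cutoff is computed from publish time rather than from the `latest` dist-tag: a freshly pushed compromised release is ignored until it has sat in the registry long enough for scanners and maintainer reports to catch up, which is exactly the window the comment argues for.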


Even US -> CA was maybe 10 min when I crossed a few weeks ago...

Is it possible that you are actually in a transnational crime syndicate without knowing it?

What advantages does this provide over existing solutions (Coder, DevEnv, DevPod)?

Also, can you provide a non-curl-based install?


I legit do something similar to this for my ADHD. I make 6, 8, or 10 item long lists of tasks, then roll a die to choose what to do. I pair it with a similar list of rewards that I can roll on when I complete a task.

Love it! I thought about allowing users to add their task lists as an A/B test but decided to keep the original version as MVP to keep it separate from conventional to-do lists. For how long have you been doing this? Curious about long-term benefits if you don't mind sharing.

I don't do it all the time, usually just when I feel swamped with a bunch of different tasks. I also try to time box it, so no matter what I roll I work on it for a predictable length of time. I think the most effective part for me is not letting myself say no to whatever comes up - I just have to do my best. I feel like it's really helpful when I'm struggling to just sit down and focus on one thing.

I am thinking about adding the brain dump to the project's future scope to ease cognitive load and willingness to switch to a new shiny idea lol. Thanks a lot for sharing your experience!
